alc class - proposal for minimum assurance requirements
TRANSCRIPT
Certification Body - Spain. 14th International Common Criteria Conference.
© 2013 Centro Criptológico Nacional C/Argentona 20, 28023 MADRID
ALC class - Proposal for minimum assurance requirements
Luis M. Fernández
Outline
Proposal to enforce ALC SARs for EAL2 certifications
Reuse of ALC class efforts applying Site Certification procedures
Supply chain security assurance within ALC class
12/09/2013 www.ccn.cni.es 2
Current Situation
Vision Statement: The general security level of certified ICT COTS products needs to be raised without severely impacting the price and timely availability of these products.
The level of standardization has to be increased by building Technical Communities (TC) that develop collaborative Protection Profiles ("cPPs") and supporting documents, in order to reach reasonable, comparable, reproducible and cost-effective evaluation results.
The existing application of STs and PPs still applies, but its CCRA mutual recognition should be limited to EAL 2.
Current Situation
Security Assurance Requirements for ALC class in EAL 2 certifications

Assurance class: Life-cycle support
Assurance family   EAL1  EAL2  EAL3  EAL4  EAL5  EAL6  EAL7
ALC_CMC              1     2     3     4     4     5     5
ALC_CMS              1     2     3     4     5     5     5
ALC_DEL              -     1     1     1     1     1     1
ALC_DVS              -     -     1     1     1     2     2
ALC_FLR              -     -     -     -     -     -     -
ALC_LCD              -     -     1     1     1     1     2
ALC_TAT              -     -     -     1     2     3     3
Current Situation
EAL 2 ALC class components
ALC_CMC.2: TOE and configuration items (CI) labelled with a unique reference.
ALC_CMS.2: Configuration list composed of the «parts» of the TOE; the developer of each part must be identified.
ALC_DEL.1: Method of delivery to the TOE consumer. Secure delivery from the developer.
ALC Proposal
Component rearrangement for EAL2 evaluations according to the Vision Statement.
Assurance class: Life-cycle support
Assurance family   EAL1  EAL2  EAL3  EAL4  EAL5  EAL6  EAL7
ALC_CMC              1     4     3     4     4     5     5
ALC_CMS              1     4     3     4     5     5     5
ALC_DEL              -     1     1     1     1     1     1
ALC_DVS              -     1     1     1     1     2     2
ALC_FLR              -     1     -     -     -     -     -
ALC_LCD              -     1     1     1     1     1     2
ALC_TAT              -     -     -     1     2     3     3
ALC_LCD.1: Development and maintenance process within an overall management structure in the TOE life-cycle.
ALC_CMC.4: Automatic production of the TOE; authorized changes to CI; CM plan and CMS.
ALC_CMS.4: Implementation representation for the whole TOE; security flaws and their resolution status.
ALC_FLR.1: Methods for dealing with all types of flaws encountered.
ALC_DVS.1: Site visit; assessment of security procedures (physical, logical, personnel); confirmation of evidence.
ALC Proposal
Outline of security improvements within the proposal
Specific Life-cycle definition for the TOE
TOE produced by automated means
TOE fully identified (source code level) and managed
Development site(s) security measures evaluated
Procedures to address security flaws
You might think “This proposal increases the workload for CC certifications”
“Too much effort for this assurance level”
There is a possible answer.
Re-use the evaluation results. This is not a new idea. There is already a tool to use:
CCDB-2007-11-01 Site Certification
Site Certification
Site Certification process according to CCDB-2007-11-01
A TOE-independent CC certification confirming that a specific development environment fulfils the CC requirements of the ALC class.
These evaluation activities can be reused in TOE evaluations later on.
Based on the activities and procedures defined in the life-cycle (ALC_LCD) and on the claimed attack potential.
Site A: Technical Community: SmartCards, Mobile Devices. Certified ALC components: ALC_LCD.1, ALC_CMC.4, ALC_CMS.5, ALC_DVS.2, ALC_TAT.2, ALC_FLR.1
Site B: Technical Community: SmartCards. Certified ALC components: ALC_LCD.1, ALC_CMC.4, ALC_CMS.4, ALC_DVS.2
Site C: Technical Community: SmartCards. Certified ALC components: ALC_LCD.1, ALC_CMC.4, ALC_CMS.4, ALC_DVS.2, ALC_DEL.1
Site D: Technical Community: SmartCards. Certified ALC components: ALC_LCD.1, ALC_CMC.4, ALC_CMS.4, ALC_DVS.2
Site Certification: Splicing (reuse)
ST conformance claim (cPP), e.g. SmartCard cPP: ALC_LCD.1, ALC_CMC.4, ALC_CMS.3, ALC_DVS.2, ALC_FLR.1, ALC_TAT.2, ALC_DEL.1
Diagram steps: TOE ALC_LCD.1; Certificate check; Analysis; TOE Certificate.
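The certificate check and analysis step of the splicing slide, written out as an added example that is not part of the original presentation or of the CCDB-2007-11-001 procedure. It takes the cPP claim and the site certificates shown on the slides (Sites A and C, data constructed from the slide text) and reports which ALC families can be reused from site certificates and which still need evaluation at a given site. Two assumptions are built in: every listed site takes part in the TOE life-cycle (that is what ALC_LCD.1 tells the evaluator), and components within an ALC family are hierarchical, so a site certified at ALC_CMS.5 satisfies a claim for ALC_CMS.3.

```python
"""Certificate check and splicing of site certificates against a cPP's ALC claim.

Constructed example modelling the slide's reuse step, not the CCDB-2007-11-001
procedure itself. Assumptions: every listed site takes part in the TOE
life-cycle, and components within an ALC family are hierarchical (a site
certified at ALC_CMS.5 satisfies a claim for ALC_CMS.3).
"""
from __future__ import annotations
import re

COMPONENT_RE = re.compile(r"^(ALC_[A-Z]{3})\.(\d)$")


def parse(component: str) -> tuple[str, int]:
    """Split 'ALC_CMS.3' into ('ALC_CMS', 3); anything else is rejected."""
    m = COMPONENT_RE.match(component)
    if not m:
        raise ValueError(f"not an ALC component: {component!r}")
    return m.group(1), int(m.group(2))


def certified_levels(components: list[str]) -> dict[str, int]:
    """Highest component level per family in a certificate or claim."""
    levels: dict[str, int] = {}
    for c in components:
        fam, lvl = parse(c)
        levels[fam] = max(lvl, levels.get(fam, 0))
    return levels


def site_coverage(claim: list[str], sites: dict[str, list[str]]) -> dict[str, dict[str, str]]:
    """Certificate check: for each claimed family and each site, report
    'covered', 'insufficient' (certified but below the claimed level) or 'missing'."""
    report: dict[str, dict[str, str]] = {}
    for fam, need in certified_levels(claim).items():
        report[fam] = {}
        for site, comps in sites.items():
            have = certified_levels(comps).get(fam)
            if have is None:
                report[fam][site] = "missing"
            elif have >= need:
                report[fam][site] = "covered"
            else:
                report[fam][site] = "insufficient"
    return report


def splice(claim: list[str], sites: dict[str, list[str]]) -> tuple[list[str], dict[str, list[str]]]:
    """Analysis: families reusable from site certificates at every site, plus the
    residual work as family -> sites where the TOE evaluation must still cover it."""
    coverage = site_coverage(claim, sites)
    reusable = sorted(fam for fam, per_site in coverage.items()
                      if all(status == "covered" for status in per_site.values()))
    residual = {fam: sorted(site for site, status in per_site.items() if status != "covered")
                for fam, per_site in sorted(coverage.items()) if fam not in reusable}
    return reusable, residual


# Constructed from the slides: the example SmartCard cPP claim and Sites A and C.
CPP_CLAIM = ["ALC_LCD.1", "ALC_CMC.4", "ALC_CMS.3", "ALC_DVS.2",
             "ALC_FLR.1", "ALC_TAT.2", "ALC_DEL.1"]
SITES = {
    "Site A": ["ALC_LCD.1", "ALC_CMC.4", "ALC_CMS.5", "ALC_DVS.2", "ALC_TAT.2", "ALC_FLR.1"],
    "Site C": ["ALC_LCD.1", "ALC_CMC.4", "ALC_CMS.4", "ALC_DVS.2", "ALC_DEL.1"],
}

if __name__ == "__main__":
    reusable, residual = splice(CPP_CLAIM, SITES)
    print("reusable from site certificates:", ", ".join(reusable))
    for fam, where in residual.items():
        print(f"{fam}: still to be evaluated at {', '.join(where)}")
```

With the slide's data, ALC_CMC, ALC_CMS, ALC_DVS and ALC_LCD are covered by both certificates (Site A's ALC_CMS.5 and Site C's ALC_CMS.4 both satisfy the ALC_CMS.3 claim), while ALC_DEL.1 remains open at Site A and ALC_FLR.1 and ALC_TAT.2 at Site C. A site certified below the claimed level is reported as "insufficient" rather than "missing", so the evaluator can see that it is the level, not the family, that falls short.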
Site Certification: Efficiency and reuse of results for ALC class
There is a problem: the minimum assurance requirements for Site Certification according to CCDB-2007-11-01 are higher than the current EAL2 components.
Minimum assurance requirements (Site Certification): ALC_CMC.3, ALC_CMS.3, ALC_DVS.1, ALC_LCD.1
Current EAL2 components: ALC_CMC.2, ALC_CMS.2, ALC_DEL.1
ALC proposal components: ALC_CMC.4, ALC_CMS.4, ALC_DEL.1, ALC_DVS.1, ALC_LCD.1, ALC_FLR.1
This proposal makes the Vision Statement compatible with the Site Certification processes and supporting documents.
Site Certification
Benefits
For the TOE consumer:
Security assessment of the whole TOE life-cycle
Supply chain assurance (as we'll see later)
For the TOE developer:
Maximum reuse of ALC class documentation
Obtain an additional certificate to certify development site security (similar to the ISO 27000 approach)
Flexibility: combine certified sites in different countries, decreasing ALC class evaluation efforts.
Supply Chain and ALC proposal
The Council of Supply Chain Management Professionals defines supply chain management as follows:
"Supply Chain Management encompasses the planning and management of all activities involved in sourcing and procurement, conversion, and all logistics management activities. Importantly, it also includes coordination and collaboration with channel partners, which can be suppliers, intermediaries, third-party service providers, and customers. [...]"
All these activities are closely related to the TOE Life-Cycle as defined in CC.
Diagram labels: Current components; ALC; Supply Chain Security.
Supply Chain and ALC proposal
The TOE might be composed of different components and parts developed by different entities in different tiers.
CC considers the TOE as a whole and takes each part into account, so the security assessment considers the security maintenance processes for each component.
Supply chain coverage of the ALC proposal components
ALC_LCD.1 provides the definitions and procedures for the phases of the development and security maintenance of the TOE. The documents should provide information about:
Where does each phase take place? (Site)
Who is responsible for each phase? (Organization)
What activities are carried out in each phase (inputs/outputs)? (Policies)
How are these activities considered by each actor? (Processes)
Supply Chain and ALC proposal
Once this information is provided, all the other ALC components deeply address the security issues related to the supply chain in each phase.
ALC Proposal & Vision Statement
Refinements to ALC components within iTCs and cPPs.
An iTC can refine ALC requirements and components to better fit them to different technologies.
ALC supporting documents aligned with the technologies in the scope of a specific iTC.
Site Certificate recognition agreements between Schemes in an iTC.
Technical Communities: life-cycle definition; CI identification measures; CI confidentiality and integrity measures; minimum site requirements.
ALC Proposal & Vision Statement
Some ideas for refinements to ALC components in TC and cPP.
ALC_LCD.1: development and manufacturing phases; actors, roles and responsibilities; common policies and processes.
ALC_CMC.4 & ALC_CMS.4: procedures to identify and track CI and TOE components; integrity control measures.
ALC_FLR.1: flaw remediation processes to address supply chain flaws.
Diagram label: cPP & TC Supporting Documents.
ALC Proposal & Vision Statement
Refinements to ALC components in TC and cPP.
ALC_DEL.1: protect TOE integrity on delivery to consumers; traceability in the supply chain.
ALC_DVS.1: minimum site requirements; protect TOE CI integrity in internal deliveries (subcontractors and development sites); accountability and traceability of CI; rules to reuse Site Certificates depending on the technology area.
Diagram label: cPP & TC Supporting Documents.
Alignment with the vision statement
ALC Proposal & Vision Statement
CCMC Vision Statement: Enhance Security; Reuse CC ALC class components; Minimize time and efforts.
Means in the proposal: Site Certification; Component Rearrangement.
Conclusions
ALC proposal: Enhance Security; Supply Chain Security Assessment; Reuse of Results; iTC & cPP oriented; Compatible with Site Certification.
Contact Information
E-mail:
Web Site: www.oc.ccn.cni.es
References
[CCMB-2012-09-001] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, Version 3.1, Revision 4, Sept. 2012.
[CCMB-2012-09-003] Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance components, Version 3.1, Revision 4, Sept. 2012.
[CCMB-2012-09-004] Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 4, Sept. 2012.
[2012-09-001] Vision statement for the future direction of the application of the CC and the CCRA, Version 2.0, Sept. 2012.
[CCDB-2007-11-001] Site Certification, Version 1.0, Oct. 2007.